Saswat

Reputation: 12816

session_id() error

Though I'm not so specific about session_id(),

I am using code in PHP like this:

In a.php I'm using this code:

$_SESSION['sid']=session_id();

When I'm in b.php, I am echoing the session sid and then unsetting it like this:

echo $_SESSION['sid'];
unset($_SESSION['sid']);

which displays d5tk0123nmj56

Again, when I visit a.php and then b.php, I again get the same result, d5tk0123nmj56.

Shouldn't the session sid be different the second time? Because I already unset the session in b.php.

EDIT:

I am testing it on localhost.

ANOTHER EDIT

To explain it to you all in detail: I am using a cart system, in which I first check whether a user is logged in by his email id, hence $_SESSION['logged_user']=user_email is one session. I am using $_SESSION['sid']=session_id() as a unique session to identify the transaction for a cart. After the user checks out (pays), he may again buy something while still logged in; then I must again check whether he is logged in (logged_user thus needs to exist), and for the next transaction I want to assign him another value for $_SESSION['sid']=a new session_id();

As far as I know (maybe I am wrong), session_destroy() kills all of the user's session, and that will also destroy the session $_SESSION['logged_user'].

Upvotes: 0

Views: 1812

Answers (5)

lampwins

Reputation: 920

To generate a new session id and store it in the place of the old id:

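session_regenerate_id(true);      // returns a bool (success/failure), not the new ID
$_SESSION['sid'] = session_id();  // read the regenerated ID back and store it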

Upvotes: 0

Rich Adams

Reputation: 26574

This is because the user still has the same session; at no point are you ending it from the user's point of view. You're just unsetting some session data on the server-side.

The session ID is sent to the server via a cookie (by default called PHPSESSID). In b.php you are unsetting the session data on the server side, but the next time the user visits a.php, they'll be sending the same cookie and starting a session with the same ID as before.

  • To unset the server-side session data, you should use session_destroy(). (This won't change the session id or unset the client-side cookie)
  • To generate a new session ID, you can use session_regenerate_id(true). (This will overwrite the client-side cookie with a new session identifier. It won't destroy the server-side information associated with the session)

To completely end a user's session, you need to destroy the server-side information and the client-side cookie, and generate a new session identifier. Here's a quick example:

<?php
    session_start();    
    $_SESSION['blah'] = true;

    var_dump(session_id()); // q4ufhl29bg63jbhr8nsjp665b1
    var_dump($_SESSION);    // blah = true

    session_unset();
    session_destroy();
    setcookie("PHPSESSID", "", 1); // See note below
    session_start();
    session_regenerate_id(true);

    var_dump(session_id()); // gigtleqddo84l8cm15qe4il3q3
    var_dump($_SESSION);    // (empty)
?>

The headers will show the session ID changing on the client-side:

Request Header
Cookie:PHPSESSID=q4ufhl29bg63jbhr8nsjp665b1

Response Header
Set-Cookie:PHPSESSID=deleted; expires=Mon, 27-Dec-2010 16:47:57 GMT
PHPSESSID=gigtleqddo84l8cm15qe4il3q3; path=/

(You can get away without the setcookie() call here, since you're creating a new session anyway, so the cookie will be overwritten by the new ID, but it's good practice to explicitly destroy the old cookie).

Upvotes: 1

derWilly

Reputation: 453

You unset the server global variable $_SESSION['sid'], not the real session id.

Use session_destroy(); to "unset" the session_id.

PHP: session_destroy() Manual

Upvotes: 0

humhann

Reputation: 126

You didn't kill the session that way, you just unset a variable that held session ID. If you did:

$unsetMe = session_id();
unset($unsetMe);

you'd just unset a variable, nothing would be done to a session. You need to use:

session_destroy();

Upvotes: 1

Boundless

Reputation: 2464

I think you want to destroy the session. Try

session_destroy(); 

To regenerate the session id, try:

session_regenerate_id(true);

Upvotes: 4
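
An added example, not part of the question or of any answer above: it rotates the session ID at checkout with session_regenerate_id(true), which keeps $_SESSION['logged_user'], and stores a separate random cart token in $_SESSION['sid'] instead of the session ID itself, so the cookie value never ends up in order records. The function names and the sample email address are assumptions made for illustration.

```php
<?php
// Added example: rotate the session ID and issue a fresh per-cart token
// after checkout while keeping the login. The keys 'logged_user' and 'sid'
// come from the question; the function names are hypothetical.

function start_secure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start([
            'cookie_httponly' => true,   // keep the ID away from page scripts
            'cookie_samesite' => 'Lax',  // PHP 7.3+
            'use_strict_mode' => true,   // reject IDs the server did not issue
            // add 'cookie_secure' => true when the site is served over HTTPS
        ]);
    }
}

function new_cart_token(): string
{
    // Transaction identifier that is independent of the session cookie value
    return bin2hex(random_bytes(16));
}

function finish_checkout(): void
{
    // New session ID, old session storage deleted, $_SESSION contents kept
    session_regenerate_id(true);
    // Fresh cart identifier for the next purchase
    $_SESSION['sid'] = new_cart_token();
}

start_secure_session();
$_SESSION['logged_user'] = 'user@example.com';   // constructed sample value
$_SESSION['sid'] = new_cart_token();

$before = [session_id(), $_SESSION['sid']];
finish_checkout();
$after = [session_id(), $_SESSION['sid']];

// Print only after all session calls: they must run before any output is sent
var_dump($before[0] !== $after[0]);   // did the session ID rotate?
var_dump($before[1] !== $after[1]);   // was the cart token replaced?
var_dump($_SESSION['logged_user']);   // is the login still present?
```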
